Enumeration
Tools
SharpView: https://github.com/tevora-threat/SharpView (aggressor https://github.com/tevora-threat/PowerView3-Aggressor)
PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 (tips https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) (dev: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
ADModule: https://github.com/samratashok/ADModule (To use ActiveDirectory module without installing RSAT, we can use Import-Module for the valid ActiveDirectory module DLL)
Domain
Get Domain
Get-NetDomain
Get-NetDomain -Domain domain.localGet-ADDomain
Get-ADDomain -Identity domain.localGet Domain SID
Get-DomainSID
Get-DomainSID -Domain domain.local(Get-ADDomain).DomainSID
(Get-ADDomain -Identity domain.local).DomainSID Get Domain Policy
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy –domain moneycorp.local)."system access"Get DCs
Get-NetDomainController
Get-NetDomainController –Domain moneycorp.local Get-ADDomainController
Get-ADDomainController -DomainName moneycorp.local -DiscoverUsers
Get a list of users in the current domain
Get-NetUser
Get-NetUser –Username student1Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *Get a list of all properties for users within domain
# Lists all properties available
Get-UserProperty
# Gets the value of a property for all users in domain
Get-UserProperty –Properties pwdlastset Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}Search for particular string in users attribute
Find-UserField -SearchField Description -SearchTerm "built" Get-ADUser -Filter 'Description -like "*built*"' Properties Description | select name,DescriptionGroups
Get all groups in current domain
Get-NetGroup
Get-NetGroup –Domain <targetdomain>
Get-NetGroup –FullData Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *Get all groups containing admin in current domain
Get-NetGroup *admin* Get-ADGroup -Filter 'Name -like "*admin*"' | select Name Get members of domain admin group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse Get-ADGroupMember -Identity "Domain Admins" -Recursive Get the group membership for a user
Get-NetGroup –UserName "student1" Get-ADPrincipalGroupMembership -Identity student1Computers / Sessions
Get a list of computers in current domain
Get-NetComputer
Get-NetComputer –OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullDataGet-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{TestConnection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -PropertiesList all local groups on a machine (needs admin privs to query non-dc machines)
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroupsList members of local groups on a machine (needs admin privs on non-dc machines)
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -RecurseGet actively logged on users on target (needs admin rights on target)
Get-NetLoggedon –ComputerName <servername>Get locally logged on users on target (needs remote registry enabled (started by default on servers))
Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.localGet the last logged on user on target (needs admin rights and remote registry enabled)
Get-LastLoggedOn –ComputerName <servername>Files
Find shares on hosts in current domain
Invoke-ShareFinder –VerboseFind sensitive files on computers within domain
Invoke-FileFinder –VerboseGet all file servers of domain
Get-NetFileServerGPO / OU
Get list of GPO in current domain
Get-NetGPO
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local Get-GPO -All (GroupPolicy module)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html (Provides RSoP)Get GPO which use restricted groups or groups.xml for interesting users
Get-NetGPOGroupGet users which are in a local group of a machine using GPO
Find-GPOComputerAdmin –Computername dcorpstudent1.dollarcorp.moneycorp.localFind machines where given user is a member of a specific group
Find-GPOLocation -UserName student1 -VerboseGet OUs in a Domain
Get-NetOU -FullData Get-ADOrganizationalUnit -Filter * -Properties *Get GPO applied on an OU
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B83E8F4EF8081}"Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081 (GroupPolicy module)ACLs
Get ACLs associated with a specific object
Get-ObjectAcl -SamAccountName student1 –ResolveGUIDs(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp ,DC=local').AccessGet the ACLs associated with the specific prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -VerboseSearch for interesting ACEs
Invoke-ACLScanner -ResolveGUIDsGet the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"Trusts
Domain Trust Mapping
Get-NetDomainTrust
Get-NetDomainTrust –Domain us.dollarcorp.moneycorp.localGet-ADTrust Get-ADTrust –Identity us.dollarcorp.moneycorp.localForest Mapping
Get-NetForest
Get-NetForest –Forest eurocorp.local Get-ADForest
Get-ADForest –Identity eurocorp.localGet all domains in current forest
Get-NetForestDomain
Get-NetForestDomain –Forest eurocorp.local(Get-ADForest).Domains Get all global catalogues for the current forest
Get-NetForestCatalog
Get-NetForestCatalog –Forest eurocorp.local Get-ADForest | select -ExpandProperty GlobalCatalogsMap trusts of a forest
Get-NetForestTrust
Get-NetForestTrust –Forest eurocorp.local Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'Scripts
Find all machines on the current domain where the current user has local admin access (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then use multi-threaded Invoke-CheckLocalAdminAccess on each machine. Logon events for all machines, loud!)
Find-LocalAdminAccess –Verbose
Alternative: Find-WMILocalAdminAccess.ps1Find local admins on all machines of the domain (needs administrator privs on non-dc machines). (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then use multi-threaded GetNetLocalGroup on each machine.)
Invoke-EnumerateLocalAdmin –VerboseFind computers where a domain admin (or specified user/group) has sessions. (This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and list sessions and logged on users (GetNetSession/Get-NetLoggedon) from each machine).
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"Confirm admin access
Invoke-UserHunter -CheckAccess Find computers where a domain admin is logged-in. (This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using GetNetGroupMember, gets a list only of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine.)
Invoke-UserHunter -StealthPrivEsc
Unconstrained Delegation
Get-NetComputer -UnConstrained
Get-DomainUser -AllowDelegation -AdminCountGet-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}Constrained Delegation
Get-DomainUser –TrustedToAuth
Get-DomainComputer –TrustedToAuthGet-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateToASREP Roasting
Get-DomainUser -PreauthNotRequired -VerboseGet-ADUser -Filter {DoesNotRequirePreAuth -eq $True} Properties DoesNotRequirePreAuthClear Passwords
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | flLast updated
Was this helpful?